The GDPR (General Data Protection Regulation) is the European regulation in force since May 25, 2018, aimed at strengthening citizens’ control over their personal data (name, address, etc.) and holding companies accountable. It imposes strict rules on the collection and storage of data for both public and private entities. Its objective is to harmonize data protection rules within the EU and to protect privacy.
- Scope of application: Applies to any organization (company, association, etc.) that processes the personal data of EU residents.
- Rights of individuals: Right of access, rectification, erasure (right to be forgotten), portability, and objection.
- Obligations: Maintain a record of processing activities, ensure data security, and report data breaches to the CNIL.
- Sanctions: Very significant fines may be imposed by supervisory authorities in case of non-compliance.
The CNIL remains particularly active, with 87 sanctions imposed in 2024.
- France Travail (January 2026): Fined 5 million euros for serious breaches of users’ data security.
- Orange (November 2024): Fine of 50 million euros for the display of intrusive advertising in messaging services.
The GDPR is based on six fundamental principles, which are set out on the CNIL website:
1. Collect only the data that is truly necessary to achieve your objective
Data is collected for a specific and legitimate purpose and is not subsequently processed in a way that is incompatible with that original purpose.
The principle of purpose limitation restricts how you may use or reuse the data in the future and prevents the collection of data “just in case.”
The principle of data minimization limits collection to only the data that is strictly necessary to achieve your objective.
2. Be transparent
Individuals must retain control over the data concerning them. This requires that they be clearly informed, at the time of collection, about how their data will be used. Data must never be collected without their knowledge. Individuals must also be informed of their rights and how to exercise them.
3. Organize and facilitate the exercise of individuals’ rights
You must put in place arrangements that allow individuals to exercise their rights and respond as quickly as possible to requests for access, rectification or deletion of data, or objection, unless the processing is required by law (for example, a citizen cannot object to being included in a civil status register). These rights must be exercisable electronically via a dedicated address.
4. Set retention periods
You may not keep data indefinitely.
Data is kept in the “active database” (i.e., for current management) only for the time strictly necessary to achieve the intended purpose. It must then be deleted, anonymized, or archived in compliance with applicable legal obligations regarding the retention of public archives.
5. Secure the data and identify risks
You must take all appropriate measures to guarantee data security: physical security and IT security, securing premises, cabinets, and workstations, and strict management of authorizations and IT access rights. This also involves ensuring that only third parties authorized by law have access to the data. These measures must be adapted according to the sensitivity of the data and the risks that may affect individuals in the event of a security incident.
6. Embed compliance in a continuous process
Compliance is not set in stone.
It depends on daily adherence, at all levels, by staff to the principles and measures implemented.
Regularly check that processing activities have not changed, that procedures and security measures are being followed, and adapt them if necessary.
THE DPO
The DPO (Data Protection Officer) is an expert responsible for ensuring GDPR compliance within an organization. Acting as the conductor of compliance, the DPO informs and advises management and the data controller, raises staff awareness, and protects the personal data being processed. Their tasks include maintaining the record of processing activities, carrying out data protection impact assessments (DPIA), managing data breaches, and acting as the point of contact with the CNIL. Appointment is mandatory for public bodies, for organizations processing sensitive data on a large scale, and for those carrying out regular monitoring of individuals. The DPO may be internal (an employee) or external (a service provider). CNIL certification is available to DPOs but is not a requirement for practising.
Appointment of a DPO is mandatory for:
- All public authorities (ministries, town halls, etc.).
- Organizations carrying out regular and systematic large-scale monitoring (e.g., banks, insurance companies).
- Structures processing sensitive data on a large scale (e.g., hospitals for health data).
Status and skills
- Internal or external: The DPO may be an employee or an external service provider (consultant, lawyer).
- Independence: They must act without receiving instructions on how to perform their duties and cannot be sanctioned for carrying them out.
- Certification: Although not mandatory to practice, the CNIL offers a skills certification framework to validate professional expertise.
Reporting obligations in the event of an incident (Data Breach):
- Notification to the CNIL: Mandatory if the incident presents a risk to individuals’ rights and freedoms (e.g., loss, theft, unauthorized access, or destruction of data).
- Deadline: Within a maximum of 72 hours after discovery.
- Content: Nature of the breach, categories of data, number of people concerned, likely consequences, and measures taken to remedy the incident.
- Information to individuals: Mandatory if the breach entails a high risk for them (nature of the data concerned, risks incurred, measures taken).
- Breach register: Even if notification to the CNIL is not required, every incident must be documented internally.
Other reporting and documentation obligations:
- Compliance documentation: Obligation to keep a processing register and to justify compliance (accountability principle).
- DPIA (Data Protection Impact Assessment): Mandatory before processing begins if the processing is likely to result in a high risk to individuals.
- DPO: The end of a DPO’s assignment must be reported promptly to the CNIL.
Failure to comply with these obligations may result in fines of up to 4% of worldwide annual turnover or 20 million euros, whichever is higher.
(cnil.fr)